1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
317 begin = position; | 317 begin = position; |
318 } | 318 } |
319 } | 319 } |
320 | 320 |
321 void ContentSecurityPolicy::reportAccumulatedHeaders( | 321 void ContentSecurityPolicy::reportAccumulatedHeaders( |
322 LocalFrameClient* client) const { | 322 LocalFrameClient* client) const { |
323 // Notify the embedder about headers that have accumulated before the | 323 // Notify the embedder about headers that have accumulated before the |
324 // navigation got committed. See comments in | 324 // navigation got committed. See comments in |
325 // addAndReportPolicyFromHeaderValue for more details and context. | 325 // addAndReportPolicyFromHeaderValue for more details and context. |
326 DCHECK(client); | 326 DCHECK(client); |
327 for (const auto& policy : m_policies) { | 327 WebVector<WebContentSecurityPolicy> policies(m_policies.size()); |
328 client->didAddContentSecurityPolicy( | 328 for (size_t i = 0; i < m_policies.size(); ++i) |
329 policy->header(), policy->headerType(), policy->headerSource(), | 329 policies[i] = m_policies[i]->exposeForNavigationalChecks(); |
330 {policy->exposeForNavigationalChecks()}); | 330 client->didAddContentSecurityPolicies(policies); |
331 } | |
332 } | 331 } |
333 | 332 |
334 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( | 333 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( |
335 const String& header, | 334 const String& header, |
336 ContentSecurityPolicyHeaderType type, | 335 ContentSecurityPolicyHeaderType type, |
337 ContentSecurityPolicyHeaderSource source) { | 336 ContentSecurityPolicyHeaderSource source) { |
338 size_t previousPolicyCount = m_policies.size(); | 337 size_t previousPolicyCount = m_policies.size(); |
339 addPolicyFromHeaderValue(header, type, source); | 338 addPolicyFromHeaderValue(header, type, source); |
340 if (document() && document()->frame()) { | 339 if (document() && document()->frame()) { |
341 // Notify about the new header, so that it can be reported back to the | 340 // Notify about the new header, so that it can be reported back to the |
342 // browser process. This is needed in order to: | 341 // browser process. This is needed in order to: |
343 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / | 342 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / |
344 // short-term). | 343 // short-term). |
345 // 2) enforce CSP in the browser process (long-term - see | 344 // 2) enforce CSP in the browser process (long-term - see |
346 // https://crbug.com/376522). | 345 // https://crbug.com/376522). |
347 // TODO(arthursonzogni): policies are actually replicated (1) and some of | 346 // TODO(arthursonzogni): policies are actually replicated (1) and some of |
348 // them are (or will) be enforced on the browser process (2). Stop doing (1) | 347 // them are enforced on the browser process (2). Stop doing (1) when (2) is |
349 // when (2) is finished. | 348 // finished. |
350 | 349 WebVector<WebContentSecurityPolicy> policies(m_policies.size() - |
351 // Zero, one or several policies could be produced by only one header. | 350 previousPolicyCount); |
352 std::vector<blink::WebContentSecurityPolicy> policies; | 351 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) { |
353 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) | 352 policies[i - previousPolicyCount] = |
354 policies.push_back(m_policies[i]->exposeForNavigationalChecks()); | 353 m_policies[i]->exposeForNavigationalChecks(); |
355 document()->frame()->client()->didAddContentSecurityPolicy( | 354 } |
356 header, type, source, policies); | 355 document()->frame()->client()->didAddContentSecurityPolicies(policies); |
357 } | 356 } |
358 } | 357 } |
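Review bot: The comment "Zero, one or several policies could be produced by only one header" (old line 351) was dropped, yet the new code in addAndReportPolicyFromHeaderValue still depends on that fact: `m_policies.size() - previousPolicyCount` sizes the WebVector, the loop can run zero times, and `didAddContentSecurityPolicies` is then still invoked with an empty vector. Restore the comment above the WebVector construction, e.g. `// Zero, one or several policies could be produced by only one header, so this vector may be empty.`, so the empty call reads as intentional rather than as an oversight. The subtraction also silently assumes addPolicyFromHeaderValue never removes entries from m_policies; if that can ever happen, the size_t underflows into a huge allocation, so a `DCHECK_GE(m_policies.size(), previousPolicyCount);` before the construction would make the assumption explicit. The same sizing pattern in reportAccumulatedHeaders above does not subtract and so has no such risk.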
359 | 358 |
360 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { | 359 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { |
361 m_overrideInlineStyleAllowed = value; | 360 m_overrideInlineStyleAllowed = value; |
362 } | 361 } |
363 | 362 |
364 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { | 363 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { |
365 // Create a temporary CSPSource so that 'self' expressions can be resolved | 364 // Create a temporary CSPSource so that 'self' expressions can be resolved |
366 // before we bind to an execution context (for 'frame-ancestor' resolution, | 365 // before we bind to an execution context (for 'frame-ancestor' resolution, |
1644 if (SecurityOrigin::shouldUseInnerURL(url)) { | 1643 if (SecurityOrigin::shouldUseInnerURL(url)) { |
1645 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( | 1644 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( |
1646 SecurityOrigin::extractInnerURL(url).protocol(), area); | 1645 SecurityOrigin::extractInnerURL(url).protocol(), area); |
1647 } else { | 1646 } else { |
1648 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( | 1647 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( |
1649 url.protocol(), area); | 1648 url.protocol(), area); |
1650 } | 1649 } |
1651 } | 1650 } |
1652 | 1651 |
1653 } // namespace blink | 1652 } // namespace blink |